Robert Bradshaw wrote:
> On Nov 27, 2009, at 5:10 AM, Dr. David Kirkby wrote:
>> On Solaris one can block outgoing ports in a zone, without affecting the rest of
>> the machine. In fact, if someone gets root access in a zone, they can do no
>> damage elsewhere.
>>
>> I know one of the BSDs supports a 'jail', where again the same could be done. I
>> do not know about Linux, but perhaps it has a similar system, where you can run
>> an insecure service in a zone/jail/restricted area, so any hacker can't do much
>> damage.
>
> We run the whole notebook inside a VM, which means it'd be really
> difficult to get out and cause damage on the hosting machine. There
> needs to be better support for isolating user processes from the
> notebook process and from each other.

I must admit, I do not know if the virtual machines are more/less secure than
zones. My gut feeling is a zone would be more secure than a virtual machine,
but I might be wrong. A belt-and-braces approach of running a virtual machine
in a zone is probably not a bad idea.

> I think the real concern is, however, spammers using the cpu and
> network connection from the notebook to send emails, host fake
> webpages, do cross-site scripting attacks, etc. rather than hijack the
> notebook server machine itself. In fact, if they're doing the above,
> it's best not to disrupt the normal server operation so as to go
> longer unnoticed.

Can you not enable a firewall on the virtual machine, which blocks all
unnecessary ports? If the virtual machine is only a Sage server, and nothing
else, there is no reason to allow incoming connections from the outside world
to any port other than the one used by the Sage server. No outgoing connections
need be permitted at all, except for those made in response to the incoming
connections, which I assume the firewall can sort out (in ipfilter, one uses
the 'keep state' keyword to do this).

I've found when building firewalls, it is very easy to mess up and block
oneself out. What I do, until I am happy the firewall is correct, is to add
something in crontab which disables the firewall every 5 minutes. Then if I
manage to lock myself out, I know I'll be able to get reconnected in 5 minutes
or less.

>> Perhaps there is a project there, to get a computer science student to find all
>> the ways to attack a Sage server, and then fix any problems.
>
> Actually, someone did a Masters project on just this.

Perhaps the firewall has been covered then. Is the MSc project available
online? I'd be interested to read it if possible. Though you might think it
more appropriate to not make it public, until issues highlighted have been
resolved.

>> If you serve only static pages, it is very difficult for someone to attack a web
>> server. But once you start supporting scripting languages like PHP, or CGI
>> scripts, the avenues for attack increase. I would see Sage would fall into the
>> latter category.
>
> Especially as each notebook cell is as good as a shell account
> already :)
>
> - Robert

Yes, it's clear that security can be a big issue with Sage. I know some
projects and companies have set up servers and invited others to attack them.
It's a way to find problems!

--
To post to this group, send an email to sage-devel@googlegroups.com
To unsubscribe from this group, send an email to sage-devel-unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/sage-devel
URL: http://www.sagemath.org
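The default-deny ipfilter ruleset and the crontab fail-safe described in the message above, written out as a small sh script. This is an added example, not code from the thread or from the Sage project; the interface name (bge0) and the listening port (8000) are placeholders, and `ipf -D` (disable the filter) is used as the "disable the firewall" step. The generated crontab line lists the minutes explicitly because Solaris cron does not accept the `*/5` shorthand.

```shell
#!/bin/sh
# Added example (not from the sage-devel thread): generate an IP Filter
# ruleset for a host that runs nothing but a Sage notebook server, plus the
# crontab fail-safe that switches the filter off every 5 minutes while the
# rules are still being tested. Interface and port are assumed placeholders.

# Print an ipf.conf ruleset: block everything in both directions, let only
# the Sage port in, and let only replies to those accepted connections out.
gen_ipf_rules() {
    iface="$1"   # external interface, e.g. bge0 (assumption)
    port="$2"    # TCP port the Sage server listens on (assumption)
    cat <<EOF
# Default deny in both directions; the 'quick' rules below win on a match.
block in log all
block out log all
# Loopback is unrestricted so local processes can still reach each other.
pass in quick on lo0 all
pass out quick on lo0 all
# The single inbound service. 'keep state' records the connection so the
# reply packets are allowed back out without any 'pass out' rule.
pass in quick on $iface proto tcp from any to any port = $port flags S keep state
EOF
}

# Sanity check: with one service there must be exactly one inbound 'pass'
# rule on the external interface. Returns that count.
count_external_pass_in() {
    gen_ipf_rules "$1" "$2" | grep -c "^pass in quick on $1 "
}

# Crontab line that disables the filter every 5 minutes ('ipf -D'), the
# lock-out safety net from the message. Solaris cron does not understand
# '*/5', so the minutes are spelled out. Remove this line once the ruleset
# has been confirmed to keep an admin session working.
gen_failsafe_cron() {
    echo "0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/sbin/ipf -D"
}

# Write the ruleset to a file; on Solaris that would be /etc/ipf/ipf.conf,
# loaded with 'ipf -Fa -f /etc/ipf/ipf.conf' once the fail-safe is in place.
write_rules() {
    gen_ipf_rules "$1" "$2" > "$3"
}

# Usage when run directly (interface and port are the assumed placeholders):
#   sh this_script.sh bge0 8000 /tmp/ipf.conf
if [ "$#" -eq 3 ]; then
    write_rules "$1" "$2" "$3"
    echo "ruleset written to $3; add this to root's crontab while testing:"
    gen_failsafe_cron
fi
```

The stateful rule is the whole point: outbound traffic that is not a reply to an accepted inbound connection (a spam run, a reverse connection from a hijacked cell) has no matching state entry and hits `block out`, which also logs it, so the firewall log doubles as a cheap detector for the misuse Robert describes.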